The government has set up a committee headed by Justice BN Srikrishna, a former judge of the Supreme Court, to “identify key data protection issues” and “recommend methods of addressing them”. This is not the Indian state’s first foray into the arena of data protection. In 2010, the Department of Personnel and Training had released a discussion paper and in 2012, there was the Report of the Group of Experts on Privacy Law, formed by the now disbanded Planning Commission.

The new committee comes in the backdrop of a high-voltage Supreme Court hearing on whether privacy is a fundamental right, concerns over Aadhaar, the biometric-based 12-digit unique identification number, and the alleged leak of customer data from Reliance Jio’s database. Although “data protection” sounds rather modest and slightly boring, the Srikrishna committee’s report will have far-reaching ramifications on free speech, privacy, big data innovation, trade ties with the West, the ability of intelligence and security agencies to monitor our communications, and the state’s overall power over the citizen.

Demand for data protection

The demand for a data protection law is years old, voiced most strongly by the National Association of Software and Services Companies, one of the most powerful industry lobby groups in India. The association wants a data protection law to enable the information technology and outsourcing industry get more business from the European Union. A data protection law would help India get “data secure” status from the EU. Currently, India is not deemed data secure under Article 25 of the EU’s Data Protection Directive, which governs the transfer of EU citizens’ data to other countries. The association’s effort, though, has not yielded much, not least because it is opposed by one of the most powerful arms of the Indian state – the intelligence agencies.

According to media reports, the intelligence agencies have demanded a blanket exemption from any data protection law. This should not be surprising given that these agencies are soon operationalising the Central Monitoring System, which will grant them the capacity to surveil all communication networks in India, telephonic or online.

But granting a blanket exemption to the intelligence agencies will likely fall foul of the EU law. After Edward Snowden disclosed the extent of American surveillance of the internet in 2013, the EU had declared, “Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced.” Soon after, the European Court of Justice ruled that a treaty allowing companies to transfer data from EU to the United States was in violation of the EU’s data protection law because of the National Security Agency’s mass surveillance of internet companies. That ruling opened a Pandora’s box for internet companies.

In India, there has been little discussion on how the country’s intelligence agencies operate. Most of our intelligence agencies operate under the authority of vague executive orders, and the Parliament does not have a clue about how they operate. In fact, there is a long-pending litigation in the Karnataka High Court challenging the legality of the Intelligence Bureau. Filed by a former officer of the Bureau, it contends that the agency was created in 1887 by the British and lacks any constitutional or statutory foundations.

The only major judicial challenge to the intelligence establishment was mounted in 1996, when the People’s Union for Civil Liberties challenged the government’s phone tapping powers. They wanted phone tapping declared unconstitutional unless it was authorised by a court warrant. The court, however, allowed the executive to conduct phone tapping without any authorisation provided a high-level committee of bureaucrats reviewed the order. Little information is publicly available on the efficacy of these oversight committees. However, given the revelation about the stalking of a lady by two Gujarati politicians, it would be safe to assume that things aren’t working as expected. Less known but equally terrifying is the GVK Bio case, where the company identified a whistle-blower with the help of the Hyderabad police, using the metadata of the whistle-blower’s mobile phone and email. The company, subsequently, started criminal proceedings against the whistle-blower.

No data protection law can be effective unless there is a check on the government’s power to access our data, over the telephone or on the internet. To identify problems in data protection and propose solutions, the Srikrishna committee would have to ask the intelligence agencies, police, and private telecom and internet companies to reveal their playbook.

Need for data innovation

Notwithstanding the lobbying power of the National Association of Software and Services Companies, there is growing realisation that the outsourcing-service business model of India’s big IT companies, which form the association, is losing steam. The recent spate of layoffs brought about by increased automation has sharply bared the limits of this model. Indian techies are finally realising the need to innovate and develop software products. In fact, this realisation has prompted some sections of the software industry to form i-Spirit: Indian Software Product Industry Round Table. In its own words, this lobby aims “to transform India into a hub for new generation software products”. A lot of these new products would be fuelled by big data, much like Google or Facebook. The reason Google and Facebook have been able to develop a large suite of services and provide them virtually free to consumers is that they have harnessed their users’ data to provide advertising and other services.

One key reason attributed to the phenomenal growth of Google and Facebook is that the US does not have an EU-style privacy regime. American internet companies find EU data protection laws bothersome because they restrict how these companies use consumers’ data. To enforce these laws, the EU has an elaborate bureaucracy with the power to levy back-breaking fines on violators. The Americans, on the other hand, follow a system of users and service providers entering into standard form contracts. Although the US has some sector-specific privacy legislation – including for government and financial data – it does not have omnibus data protection legislation like the EU. American companies are thus perceived to be more innovative in the field of big data.

American internet companies such as Google and Facebook find EU data protection laws bothersome because they restrict how these companies use consumers’ data. Photo credit: AFP
American internet companies such as Google and Facebook find EU data protection laws bothersome because they restrict how these companies use consumers’ data. Photo credit: AFP

While the National Association of Software and Services Companies would want European-style data protection legislation so that India can qualify for a data secure status from the EU, more innovative lobbies such as i-Spirit would seek a more relaxed American-style system of voluntary contracts. Aiding the Indian innovators will be the public policy professionals of Google and Facebook. Four years ago, Outlook reported how Google was funding an incredible range of policy ventures in India, from PRS to a centre at the National Law University, and questioning whether the tech giant’s funding was transparent enough. There is little doubt that Google wields formidable soft power in India, not only because it funds policy ventures but also because it is one of the most recognised and trusted internet brands in the country.

There is much to agree with Google’s and Facebook’s approach to data, but the problem is that their dispute resolution clause requires Indians to sue only before courts in California, US. That neither company has provided for a forum in India to resolve the privacy concerns of Indian users gives the impression they aren’t interested in empowering them.

The more complicated question is whether Google and Facebook can circumvent the proposed data protection legislation through private contracts governed by American law. Even today, most US internet companies are clear that the terms of use between them and Indian users are governed by American law, hence the insistence on US courts for enforcement. Should this freedom of contract be respected or should the Indian state nullify all such contracts that don’t abide by Indian law? By doing so, will India unwittingly thwart future start-ups that may have the potential to be the next Google or Facebook, and will Indians lose out on those competing services?

In any event, the US usually bats for Google and Facebook and there is every likelihood this matter be a key sticking point between India and the US, as is the case now between the US and EU.

Effect on trade ties 

One of the key aspects of trade talks in recent years has been data localisation, whereby countries force big data firms to retain data within their territories. This requires the companies to ensure that they set up servers and data banks in each country, so that their citizens’ data is not transmitted to the home countries of the big companies. Forcing companies to locate their servers and data banks domestically makes it easier for national governments to force them to cooperate on surveillance. Last year, China enacted a data protection law with a broad provision on data localisation. India will likely try to have a similar provision in its proposed law. In fact, some years ago, the government tried to force Blackberry to set up local servers in India. Then, Blackberry was one of the few companies providing an encrypted messaging service in the country.

Of late, though, major trade agreements have sought to reportedly prohibit data localisation, including the now junked Trans-Pacific Partnership and the Regional Comprehensive Economic Partnership, which is still being negotiated. The logic for prohibiting data localisation is simple: it increases the cost of business and creates inefficiencies. Since trade talks are a two-way street, India needs to strategise the cost of adopting an aggressive data localisation policy. The Americans are in a fiercely protectionist mode and are likely to lash out against India for any steps that harm US companies such as Facebook and Google. However, as one of the most lucrative markets for Facebook and Google, India does have some negotiating power to push back against the Americans.

Effect on journalism

A less discussed aspect of data protection and privacy laws is the impact they have on free speech. As I have previously explained, the right to privacy has often been invoked by powerful people to stop publication of their biographies or production of biopics. A data protection law that provides for remedies like damages and possibly imprisonment may greatly complicate investigative journalism, which relies on data or information gathered without the permission of the people it belongs to. Consent, after all, is likely to be the centerpiece of any data protection law.

Can the media then carry out stings and record people in private spaces without their permission? What happens if a whistle-blower from a private organisation leaks confidential information? The EU data protection law provides for an exception for journalistic purposes, but the provision is so vaguely worded it can have a chilling effect on journalists. Would the media outlets that broke stories on the Essar leaks, Radia tapes, Birla-Sahara diaries have done so if they risked lawsuits or imprisonment for breach of privacy?

One law for all?

One of the important questions that will have to be settled by the Srikrishna committee is whether the proposed data protection legislation should cover both public and private sectors? Unlike the Indian state, which has a coercive and often paternalistic relationship with the citizen, private companies offer services that are entirely voluntary. If you don’t like Facebook, for example, you are free not to use it.

Should both relationships then be held to the same standard of conduct, and if not, should there be separate laws with a higher onus being placed on the state?

Theoretically, there already exists a privacy right for all personal data held by the government. This right flows from Section 8 of the Right to Information Act, 2005. The Department of Personnel and Training has recognised the width of this right, instructing all ministries and departments to not release any private details disclosed on the Right to Information applications because the same would violate the privacy rights of citizens. The order came after a petition was filed in the Calcutta High Court challenging the government’s practice of publishing all RTI applications without redacting personal details. The logic of this order can be extended to virtually all personal information held by the state. The challenge lies in creating a workable enforcement mechanism, and given the complexity of government in India, this aspect deserves its own special law. At any rate, the Srikrishna committee should consider having two separate laws.

Prashant Reddy is a professor at the National Academy for Legal Studies and Research, Hyderabad. He is the author of India’s Intellectual Property Dilemmas.